Snowflake supports caching browser-based SSO authentication using an ID token. Any idea how long this token is valid for? I can't see any mention in the docs.
At least a cached MFA token is valid up to 4h.
https://docs.snowflake.com/en/user-guide/security-mfa.html#label-mfa-token-caching
Related
I have a cognito User Pool with 1 client that is configured with 2 identity providers, Cognito User Pool and a SAML provider that links an Azure AD instance. The Allowed OAuth Flows is set Implicit grant only. Login via the Cognito User Pool provider is done using the InitiateAuthCommand in the #aws-sdk/client-cognito-identity-provider library. From this an id_token, access_token and refresh token are all returned.
Login via the SAML provider is done by using the template link provided in the cognito developer docs (https://your_Amazon_Cognito_userpool_domain/authorize?
response_type=code&identity_provider=your-SAML-IdP-name&client_id=your-
client-id&redirect_uri=https://your_application_redirect_url). This login works, however only an id_token and access_token are returned (no refresh token).
How can I get cognito to issue a refresh token for users logged in via the SAML provider
Cognito should not return a refresh token for Implicit grant flow. That is the intended behaviour according to the specification:
The authorization server MUST NOT issue a refresh token.
Also using the implicit flow is highly discouraged due to vulnerabilities.
Please consider using Authorization code grant flow along with PKCE. With that you can get the refresh token.
The reason you get the refresh token along with the aws-sdk is, because it should be using a different Auth flow (example: USER_PASSWORD_AUTH) as mentioned in the document.
Im able to login to my angularjs app using the angular adal library
I can get a token and verify this token. My question is the following:
If i signout, should the token get revoked automatically? If not, how do i do so?
Currently Azure Active Directory does not support or provide an endpoint for an application to revoke the access/refresh tokens.
You may read more about configurable token lifetimes in Azure Active Directory to check the policies on token lifetimes and adjust that base on your requirement .
There is a sample logout code that you may be able to integrate as a workaround.
See: Can Azure AD ADAL (ios) refresh token be revoked from the client?
I've been messing around with MSAL having previously used ADAL for sign up & secure API calls within AAD
I have a user case now requiring sign up and sign in but bafflingly MSAL - even tho there's a method for returning user name - is incapable currently of returning you anything about the user from the B2C token
The workaround seems horribly contrived so I'm considering abandoning MSAL and going back to ADAL or other providing the Sign Up or Sign in is also available
Can anyone recommend me a library or method of achieving Sign Up directly into AAD using ADAL or other please?
is incapable currently of returning you anything about the user from
the B2C token
ADAL supports for v1 endpoint.B2C uses v2 endpoint, and the MSAL is designed to support v2, so you could not use ADAL for the B2C Sign Up. If you want to get user information in the token, suggest you use the OpenId Connect. In the OpenId Connect, the id_token includes the user information.
You could use jwt.io to parse the id_token, and you could find username in the id_token:
For the details about OpenId Connect in B2C, please read here.
ADAL and MSAL are incompatible
MSAL doesn't support Graph
OpenID Connect needs an authorisation code so isn't appropriate for the workflow
The answer I figured out was to install ADAL into my API, then when the user logs in on the app send securely the GUID from the token to the API which can then communicate with the Graph and return user profile info
Does IBM Single Sign On service allows to use JWT tokens, not cookie based session approach?
I have web project with backend in Node.js and frontend in Angular.js as separate applications. So I would need a SSO that works with JWT tokens.
There are two parts to your question: (1) Does IBM SSO use JWT tokens and (2) Can we use the JWTs as session tokens for an Angular app.
(1)
IBM SSO service has been deprecated in favor of IBM Cloud App ID which manages identity for different types of identities (including anonymous and directory based) as well as profile management. The service is OAuth2/OIDC compliant and so the access and identity tokens that clients obtain are all JWT.
(2) Check out this blog on how to secure an Angular+Nodejs app with App ID. An important point here is whether you want to use the JWT you get from App ID as your session token. Remember that your App ID access token gives the bearer capability beyond that of the session identity (it give the bearer access to /userinfo and /attribute endpoints as well) so that unless you are ok with exposing this info to your frontend, create and manage your own JWT for session or use Express sessions.
You want to use the IBM Cloud App ID service which provides the single sign on capabilities (IBM SSO service has been deprecated). It provides openID Connect- and OAuth2-compliant authentication. The access and identity are JWTs (JSON Web Token).
I would recommend that you check out the related App ID Node.js SDK. There are samples that show integration with the passport framework. I have seen it in use with Angular.js apps.
I am developing an angular app which currently has authentication with cookies and session. But I want to use jwt authentication.
And I have a doubt that if that token is stolen then the complete authentication is stolen?
And If there is no expiry date is that a risk?
Because if I login in my computer then the token always resides in the browsers local storage and if anyone steals that token from my computer, they have the access to my account. Then how is it a secure authentication
Please help me in understanding the risks and the way this works.
Thank you
Yes, in the absence of the exp (expiration time) claim and if your token is stolen, you will have a serious security problem.
This can be mitigated by the audience if a jti (token ID) claim is set, but necessitate a storage (e.g. database, and filesystem...) with all revoked jti.
As per OpenID Connect Core Specification, ID Token must have an exp with usually no more than a few minutes.
I think that all authentication providers that use JWT should follow this requirement.